Solved

Account Lockout

Posted on 2011-03-08
7
373 Views
Last Modified: 2012-05-11
I have a few user accounts, mine being one of them, that keep getting locked out. I checked the security logs on the system and it is constantly coming from a single machine on the network. This just started today. If I turn the machine off then all is well. If I turn it back on... well, I'm guessing one of the services is using credentials. The other is a user that is no longer with the company, and whose account has been disabled for quite some time. Is there a way I can find out what services are using these credentials on the server? Any guidance would be greatly appreciated.
Question by:Infamous_Q
7 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 500 total points
ID: 35075064
0
 
LVL 3

Expert Comment

by:Rhyseh
ID: 35075145
We had a similar issue some years ago where one of our servers missed an update and got a malware infection. It then proceeded to attempt to brute force its way into our network by repeatedly sending validation requests with random user account names. This caused the accounts to become locked.

We fixed this by patching the server and manually stamping out the infection, however if this is a client machine I would just give it a reimage and get rid of this headache.
0
 
LVL 8

Expert Comment

by:Nivlesh
ID: 35077481
Since you traced it to one computer, you are already halfway there. Next you have to check all services.

BTW, what OS is the offending machine running? If Windows 2000 + then go to start\run\ and then type services.msc and press OK. This will start the services applet. In here check the Log On As column to see if the account that is being locked out is there.

Also, Internet Explorer might be trying to access a server with the username that is locked out. Check all passwords that are stored on the machine. In XP you can type control userpasswords2 and see all the username/passwords stored. In Win7, open control panel, go to user accounts then click on Manage your credentials. Also, you can use Internet Explorer to delete all history, stored forms, passwords, etc.

The last thing to check is if there is any program running that might be trying to login to your servers. Open up the Task Manager and see if there is any "dodgy" process. Kill it and try to stop it from starting again, restart the computer and monitor.

It is a slow process to get this sorted but if you follow the correct path, you will get there.

Regards
0

 
LVL 3

Expert Comment

by:sam0x01
ID: 35079267
Any authentication request from that computer could be causing it.

This may come from a service, scheduled task, or program that runs in the background.

Running schtasks /v on the computer or schtasks /S [computername] /v remotely while the computer is powered on will show the scheduled tasks and the credentials they run under.

Running wmic service get displayname,state,startname will show the services, state and username

Running wmic /node:[computername] service get displayname,state,startname remotely will do the same.

If this is a program not running as a scheduled task or a service, if it is a desktop, rebuilding it would be the easiest thing to do.

Otherwise opening each installed program and script on the server will eventually find the one that is causing it.
0
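The two inventories described in the comment above (service logon accounts and scheduled-task run-as accounts) can be combined into one report. This is an added example, not part of any poster's reply; it assumes Windows PowerShell 2.0 or later, English `schtasks` column headers, and administrative rights on the target machine. `EXAMPLE\jdoe` is a constructed placeholder and `Get-ShortName` is a hypothetical helper.

```powershell
# Added example: list services and scheduled tasks that log on with a real
# user account on the machine the lockouts were traced to.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # machine seen in the security log
    [string]$Account      = 'EXAMPLE\jdoe'      # constructed placeholder for the locked-out account
)

# Built-in identities carry no domain password, so they cannot cause a lockout.
$builtin = '^(LocalSystem|SYSTEM|N/A|INTERACTIVE|LOCAL SERVICE|NETWORK SERVICE|' +
           'Users|Administrators|Everyone|NT AUTHORITY\\.*|NT SERVICE\\.*)?$'

# Hypothetical helper: reduce DOMAIN\user, .\user or user@domain to the bare name.
function Get-ShortName([string]$Name) {
    if     ($Name -match '\\') { ($Name -split '\\')[-1] }
    elseif ($Name -match '@')  { ($Name -split '@')[0] }
    else                       { $Name }
}
$short = Get-ShortName $Account

# Services: Win32_Service.StartName is the "Log On As" column of services.msc.
$services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
    Where-Object { $_.StartName -notmatch $builtin } |
    Select-Object @{n='Kind';  e={'Service'}},
                  @{n='Name';  e={$_.DisplayName}},
                  @{n='RunAs'; e={$_.StartName}},
                  @{n='State'; e={$_.State}}

# Scheduled tasks: verbose CSV output. Newer Windows versions repeat the
# header row for each task folder, so rows that are headers are dropped.
$tasks = schtasks /query /s $ComputerName /fo csv /v | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Run As User' -notmatch $builtin } |
    Select-Object @{n='Kind';  e={'Task'}},
                  @{n='Name';  e={$_.TaskName}},
                  @{n='RunAs'; e={$_.'Run As User'}},
                  @{n='State'; e={$_.Status}}

# One table; entries that use the locked-out account sort to the top.
@($services) + @($tasks) |
    Select-Object *, @{n='Match'; e={ (Get-ShortName $_.RunAs) -eq $short }} |
    Sort-Object Match -Descending |
    Format-Table -AutoSize
```

An empty table means no service or task on that machine is configured with a user account, which points toward stored credentials or a running process instead.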
 
LVL 2

Author Comment

by:Infamous_Q
ID: 35083955
Thanks for all of the advice.  I will be working on this issue today to see where the problem is.  I'll post an update as soon as I have something.
0
 
LVL 2

Author Comment

by:Infamous_Q
ID: 35096137
So the services on the system are all running as local or network services, and I just finished running a full scan for virus/spyware. Nothing so far. There are also no scheduled tasks on the machine. To answer an above question, this is a Server 2003 machine. However, it's not running all of the latest updates. I will update the machine and install the lockout tools and post results.
0
 
LVL 2

Author Comment

by:Infamous_Q
ID: 35117149
I updated the system to the most recent. And used the tools. After finding the reason using the tools I was able to kill the rogue service and fix things. Thanks very much for all of your help.
0


Question has a verified solution.
